Solved

NTFS permission

Posted on 2010-09-13
7
742 Views
Last Modified: 2013-12-04
We failed on backup job due to many Access Denied files.
Because there are many folders/files, it is impossible to add it one by one manually.
How can we add domain admins group to all folders/files with out affect existing NTFS security permissions?
We are using 2003R2 server in AD environment.
Thank you.
0
Comment
Question by:dickchan
7 Comments
 
LVL 20

Expert Comment

by:wolfcamel
Comment Utility
sounds like you may need to revisit the entire structure of your security and inheritance etc.

If you add the admin at the root you still wont have access to folders where the admin has been removed, and inheritance turned off.

0
 
LVL 63

Accepted Solution

by:
SysExpert earned 100 total points
Comment Utility
Backup Admin should always have access to everything, and  you need to make sure it is set that way.

CACLS and similar may be helpful.
test carefully before implementing.

I hope this helps !
0
 
LVL 6

Assisted Solution

by:avishar
avishar earned 100 total points
Comment Utility
Use "modacl" , using this utility you can apply/remove permission of a group recursively or otherwise on a folder without affecting the existing permission.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 6

Expert Comment

by:avishar
Comment Utility
If you decide to use modacl then download SuperCACLs 3.0 from Trusted Systems Services..
0
 
LVL 4

Assisted Solution

by:majidhajali
majidhajali earned 100 total points
Comment Utility
Users of Backup Operators group have access to all files and folders whether they have NTFS permission on that folder/file or not. I suggest you create a user and put that user in Backup Operators group and run the backup tasks with delegation of that user.
0
 
LVL 4

Assisted Solution

by:ashaw2009
ashaw2009 earned 100 total points
Comment Utility
Firstly check what account you are using to run the backup job, then add that account to the local servers backup operators group:
Start > Run > compmgmt.msc > System Tools > Local Users and Groups > backup operators

Second check your VSS writers are stable.
Start >run> CMD > Vssadmin List Writers
Each writer should come back as Stable and No errors. If the writers are in a failed state you may need to restart the server or take further action.

Third check the Volume shadow copy service is set to start Manually and the logon account is the system account:

Start >run>services.msc>Volume Shadow Copy service
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 100 total points
Comment Utility
I would recommend SubInACL from Microsoft. It is easy in use and very powerful. You can download it at
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now